We have about 20 remote branch offices. Office size varies from as small as 2 users per office to as large as 30 users per office. Each office has either a Cisco 1801 or 1841 router that we manage. These routers basically provide DHCP, NAT, and firewall services for the client computers, and all traffic simply goes out to the various ISPs that provide the network for these offices. All computers at these offices are connected to non-Cisco, unmanaged switches, which are connected to our routers. We have no control over the end users' computers at these offices, and these users do not access any network resources at headquarters. We merely provide internet access for these offices.
I have been reading about NAC, such as in band vs. out of band, virtual gateway vs. real IP gateway, layer2 vs. layer3, but I am not sure how to go about it.
What do you think the most cost effective approach to implement NAC is in this environment?
Since you have a small number of users on each site, the best option for you is a centralized server for all your users (the smallest server is a network module for 50 users; appliances go from 100, 300, 500, etc.). For this you'll need to allow Layer 3 connections (this means the end users will be one or more hops away from your server).
Both virtual and real-IP gateway should work for you. It depends on what you can do on the current network: a virtual gateway acts as a bridge, so there's no need to change the topology of your network; it works like a simple cable. A real-IP gateway adds a hop to the path (it will have a different network on each interface), so your topology may change a little.
Since the sites won't have access to your network resources, the best would be to use out-of-band mode, so the users only authenticate with the NAC appliance and then run free to the internet. However, since your switches are non-Cisco, the communication needed for out-of-band is not supported, so you'll have to use in-band mode, and all the traffic will need to flow through your NAC appliance...
Got it. In-band L3 with either virtual gateway or real-IP gateway will work in my environment.
I suppose I should set up site-to-site VPNs between the HQ and these branch offices. On the HQ's ASA device where the VPN tunnels terminate, should I forward all packets to the CAS? The CAS will then allow/deny client access to the internet based on the clients' IP addresses?
What about DHCP? Can I continue using the Cisco routers at these branch offices as DHCP servers?
I believe you should still be able to use your current DHCP settings, but to give an accurate answer a deep look into the final design would be needed. It depends on how you end up configuring and connecting everything.
If you use in-band, all the end-user traffic will be managed by the CAS, so yes, in theory all the traffic from your users will have the CAS as its default gateway; after the user is certified, the CAS will redirect the traffic to the next hop.
The configuration of an L3 deployment seems very simple on the CAS. I believe the difficult part is the network design needed to accomplish all the communication between the users, the CAS and the destination, before and after authentication. I still have some questions on that myself; if you manage to test this successfully, I hope we can discuss it further.
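The following is an added example of what the branch-router side of the in-band L3 design discussed in this thread could look like; it is not configuration from either poster. It keeps the branch router as the DHCP server and default gateway for the LAN (the clients stay one or more hops away from the CAS), builds the site-to-site IPsec tunnel to the HQ ASA, and sends all client traffic into that tunnel so it reaches the CAS at HQ. All addresses, names, and the pre-shared key placeholder are assumptions for illustration.

```cisco
! Hypothetical branch router (Cisco 1841). Addresses are examples only.
hostname BRANCH-RTR
!
! DHCP stays on the branch router; the router remains the clients' gateway.
ip dhcp excluded-address 10.20.1.1 10.20.1.10
ip dhcp pool BRANCH-LAN
 network 10.20.1.0 255.255.255.0
 default-router 10.20.1.1
 dns-server 10.0.0.53
!
! IKEv1 policy to the HQ ASA (assumed peer 203.0.113.1).
! group 14 needs a recent IOS release; fall back to group 5 on older images.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.1
!
crypto ipsec transform-set TS-HQ esp-aes 256 esp-sha-hmac
!
! Interesting traffic: EVERYTHING from the branch LAN, including Internet-bound
! traffic, so that it is delivered to the CAS at HQ before reaching the Internet.
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.1.0 0.0.0.255 any
!
crypto map CM-HQ 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-HQ
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 description WAN to ISP (assumed static address)
 ip address 198.51.100.2 255.255.255.252
 crypto map CM-HQ
!
interface FastEthernet0/1
 description Branch LAN (unmanaged switch)
 ip address 10.20.1.1 255.255.255.0
!
! Deliberately no 'ip nat inside' / 'ip nat inside source' here: the CAS
! identifies a certified user by the client's IP address, so the client
! addresses must arrive at HQ unmodified.
!
! Default route toward the ISP; the crypto map encrypts the client traffic
! before it leaves the WAN interface.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Two caveats for the HQ side that this fragment implies: the ASA must route the decrypted 10.20.1.0/24 traffic to the CAS's untrusted interface, and since Internet-bound traffic returning from the CAS leaves the same outside interface the tunnel arrives on, the ASA needs `same-security-traffic permit intra-interface` to allow that hairpin. Since every branch now depends on the HQ link, a failed tunnel means no Internet for that office, which is the trade-off of the in-band design the answers above describe.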